The preinstalled LI agent on the SDDC appliance does not send the 'audit.log' log by default.
Environment
SDDC 5.x
VMware Aria Operations for Logs 8.18.x
Cause
The 'audit.log' log file is an OS-level log file; it is not created by the SDDC manager. While the LI agent is preconfigured to send SDDC-relevant logs, it needs to be configured to send Linux Systemd-related logs.
Resolution
Ensure you have installed the Linux Systemd content pack on your Aria Operations for Logs instance.
Navigate to the 'Content Packs' menu, then 'Marketplace'.
Find the 'Linux - Systemd' content pack, select it, and click 'Install'.
Confirm the content pack is installed under the 'Installed Content Packs' category in the middle column of the UI.
Next, we need to push the Linux Systemd agent template to the appropriate SDDC agent.
Navigate to 'Management' and then 'Agents'.
In the dropdown menu, copy the 'Linux - Systemd' template by clicking the copy icon to the right of the template.
Give the group a name.
Using the IP of the SDDC manager, filter for the agents you want to send the template to, and press Enter.
When the target IP is listed, click the 'Save New Group' button below the template configuration, at the bottom of the window.
You should now see audit events in the 'Explore Logs' tab for the SDDC host.
Additional Information
This method can be used to apply pre-configured templates, which are included with content packs. You can also configure your own agent configuration here.
When filtering for hosts, a template can be applied to multiple hosts by using different filters, such as 'matches', 'does not match', 'starts with', and 'does not start with', in conjunction with either IP or hostname.